Collaboration, Activity Monitoring Key to Identifying Hacker
The FBI recently reflected on the arrest of a hacker who stole intellectual property from a tech company, including how collaboration and activity monitoring helped investigators track him down.
When Christian William Kight – a.k.a. Drillo – hacked into an Atlanta-based computer analytics company in 2017, he thought he was covering his tracks. He used virtual private networks (VPNs), deleted log data, and took other steps to conceal his identity and obfuscate his location.
After gaining a foothold in the unnamed company’s systems – something he managed using scripts he had learned to download from hacker forums – he copied the company’s data to his own machine and deleted it from the company’s systems.
Kight, who pleaded guilty to extortion, computer fraud, and wire fraud and was sentenced to more than seven years in prison this past spring, exfiltrated data files and then deleted both the data and the log files, but he still left some traces of his activity behind.
According to the FBI, when the company contacted the agency, it shared critical information from its network’s access logs and other records that were instrumental in tracking Drillo down. Ultimately that information pointed investigators to Kight’s IP address, and a search warrant executed at his San Clemente, California residence yielded further evidence.
Although the intrusion occurred more than two years ago, the FBI recently elaborated on the case on its website, something it does from time to time after the dust has settled and a sentence has been handed down.
“In the cyber world, it’s very hard to secure a network to the point that it’s never breachable, but you can make it as difficult as possible to break in,” Tyson Fowler, a special agent with the FBI, said last month, reflecting on the case.
After he had deleted the data, Kight attempted to extort money from the company in exchange for its intellectual property. When the company said it was going to contact law enforcement, he doubled down and threatened to send "reputation-harming letters to the company’s clients and disseminate the data he had stolen."
According to the FBI, Kight defended his actions, claiming he wasn't trying to extort the company but instead trying to “work out a deal.”
“And no, I’m really NOT an extortionist,” Kight wrote in an email to the CEO, per the FBI, “I would like to see how much you think it’s worth, and if it’s fair, we'll leave it at that.”
The U.S. Attorney overseeing the case said in March that Kight actually gained access to multiple companies and organizations – it was just the analytics company that he attempted to extort.
“Kight’s scheme against this company is unfortunately all too common and highlights the ever-growing need to remain vigilant in cybersecurity efforts,” Chris Hacker, the head of the FBI’s Atlanta office, added, after Kight’s sentencing was announced.
On top of stealing the company’s data and attempting to extort it, he also offered the company’s CEO a 40-page report of the company’s “security shortcomings,” screenshots to show he’d obtained the data, and a video file documenting his hacking.
The company was able to recover the data within a few days thanks to what the FBI deemed a "robust backup system" but that doesn’t alter the fact that its sensitive data was stolen.
Strong activity monitoring helped authorities track the hacker, but stronger defenses around sensitive data such as intellectual property might have prevented it from being taken, moved, or deleted in the first place.
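The monitoring that mattered in this case was log data the intruder could not fully erase. As an added example (not code from the article, the company, or the FBI), the Python below runs two checks over constructed access-log lines: it flags an actor who bulk-downloads files and then deletes them within a short window, and it compares the on-host log against a copy forwarded to a remote collector to recover the entries that were deleted locally. The key=value log format, the field names, the 100 MiB threshold and the one-hour window are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real logs). REMOTE_LOG is the copy of the access
# log that was forwarded in near real time to a collector the intruder cannot reach.
REMOTE_LOG = """\
2017-07-10T01:58:12Z user=jdoe src=203.0.113.7 action=login path=/ bytes=0
2017-07-10T02:03:41Z user=jdoe src=203.0.113.7 action=download path=/models/q3.tar bytes=734003200
2017-07-10T02:05:09Z user=jdoe src=203.0.113.7 action=download path=/models/q4.tar bytes=655360000
2017-07-10T02:07:55Z user=jdoe src=203.0.113.7 action=delete path=/models/q3.tar bytes=0
2017-07-10T02:08:02Z user=jdoe src=203.0.113.7 action=delete path=/models/q4.tar bytes=0
2017-07-10T02:09:30Z user=jdoe src=203.0.113.7 action=delete path=/var/log/app/access.log bytes=0
2017-07-10T08:15:00Z user=asmith src=192.0.2.44 action=download path=/reports/weekly.pdf bytes=204800
""".splitlines()

# LOCAL_LOG is the on-host file as found afterwards: the intruder removed his
# download and delete entries but missed his own login, a trace left behind.
LOCAL_LOG = [REMOTE_LOG[0], REMOTE_LOG[6]]

# Assumed key=value line format; a real deployment would parse its own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


def parse(line):
    """Parse one access-log line into a dict with a UTC timestamp and an int byte count."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["bytes"] = int(e["bytes"])
    return e


def find_exfil_then_delete(lines, window=timedelta(hours=1), min_bytes=100 * 1024 * 1024):
    """Flag each (user, source IP) that downloads at least min_bytes and then deletes
    a file within `window` of its first download. Returns one finding per actor."""
    by_actor = defaultdict(list)
    for e in map(parse, lines):
        by_actor[(e["user"], e["src"])].append(e)

    findings = []
    for (user, src), events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        downloaded = 0
        first_download = None
        for e in events:
            if e["action"] == "download":
                if first_download is None:
                    first_download = e["ts"]
                downloaded += e["bytes"]
            elif (e["action"] == "delete" and first_download is not None
                  and e["ts"] - first_download <= window and downloaded >= min_bytes):
                findings.append({"user": user, "src": src, "bytes": downloaded,
                                 "deleted": e["path"], "at": e["ts"]})
                break  # one finding per actor is enough to open a case
    return findings


def find_missing_lines(local, remote):
    """Return forwarded log lines that are absent from the on-host copy.
    A non-empty result is evidence that the local log was truncated or edited."""
    local_set = set(local)
    return [line for line in remote if line not in local_set]


if __name__ == "__main__":
    for f in find_exfil_then_delete(REMOTE_LOG):
        print(f"exfil-then-delete: {f['user']}@{f['src']} pulled {f['bytes']} bytes, "
              f"then deleted {f['deleted']} at {f['at'].isoformat()}")
    for line in find_missing_lines(LOCAL_LOG, REMOTE_LOG):
        print("deleted locally, recovered from collector:", line)
```

Run against the forwarded copy, the first check surfaces the download-then-delete sequence; run against the on-host copy alone it finds nothing, which is exactly why the second check matters: the collector's copy is what lets a responder see the entries the intruder removed.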